15th July, 2019
In the growing international business market, the privacy of an individual's personal information has become very critical, and different countries around the world have come up with different information privacy and data protection laws to secure the data of individuals. Currently more than 80 countries, including all of Europe, America, some Latin American countries, Asia, Africa and other independent territories, are implementing data protection/privacy rules. The details are as under:
Europe: The European Union was the first to come up with a comprehensive standard, in April 2016, known as the General Data Protection Regulation (GDPR); it has been in implementation since May 2018, with the objective of protecting the fundamental rights and freedoms of persons with respect to the protection of their personal data and the free movement of personal data. The GDPR gives individuals more control over their personal data. It also unifies the regulation within the EU and thus provides a simplified regulatory environment for international business. This regulation applies to all EU member states.
United States: The United States was the first to come up with fair information practice principles, in 1970. There is no single comprehensive law regulating the acquisition, storage, or use of personal data in the U.S.; instead there are several federal laws applicable in different areas.
The list of USA-applicable laws, regulations and directives related to the protection of information systems is as under: U.S. Fair Credit Reporting Act, U.S. Racketeer Influenced and Corrupt Organizations (RICO) Act, Family Educational Rights and Privacy Act (FERPA), U.S. Privacy Act, U.S. Medical Computer Crime Act, U.S. Federal Computer Crime Act, U.S. Computer Fraud and Abuse Act, U.S. Electronic Communications Privacy Act (ECPA), U.S. Computer Security Act (repealed by the Federal Information Security Management Act of 2002), 1988 U.S. Video Privacy Protection Act, United Kingdom Computer Misuse Act, U.S. Federal Sentencing Guidelines, OECD Guidelines to Serve as a Total Security Framework, Communications Assistance for Law Enforcement Act, Council Directive on Data Protection for the European Union (EU), U.S. Economic and Protection of Proprietary Information Act, Health Insurance Portability and Accountability Act (HIPAA), U.S. Digital Millennium Copyright Act (DMCA), U.S. Uniform Computer Information Transactions Act (UCITA), U.S. Congress Electronic Signatures in Global and National Commerce Act (“ESIGN”), U.S. Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act, Homeland Security Act (HSA) and Federal Information Security Management Act.
The USA developed the Safe Harbor Framework to bridge the different privacy approaches of the USA and the countries of the European Union.
Canada: In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out the ground rules on how businesses must handle personal information in the course of commercial activity. PIPEDA brings Canada into compliance with EU data protection law.
Australia: The Data Privacy Act in Australia regulates the handling of personal information.
China: The Cybersecurity Law and the China Data Protection Regulations (CDPR) indicate China's focus on cybersecurity and personal data protection.
India: In India, the use of citizens' personal data or information is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under Section 43A of the Information Technology Act, 2000. In 2018 the Indian Government came up with the Personal Data Protection Bill 2018, based on the recommendations of the Justice Srikrishna Committee and drawing on the EU's GDPR and regulations from other countries. The Bill has still not been passed.
ISO/IEC 27552 – Standard for Privacy Information Management System (PIMS):
The International Organization for Standardization, through its technical committee ISO/IEC JTC 1/SC 27, has come up with a new standard, ISO/IEC 27552, as a privacy extension to the ISO/IEC 27001 standard. ISO/IEC 27552 provides additional requirements to establish, implement, maintain, and continually improve a Privacy Information Management System. The standard gives PII controllers and processors a framework to manage privacy controls and reduce the risk to PII.
The standard has the following annexures, which show its mapping to different standards:
Annexure A: Contains specific objectives and controls for PII controllers.
Annexure B: Contains specific objectives and controls for PII processors.
Annexure C: Contains a mapping to Articles 5 to 42 and 44 to 49 of the GDPR.
Annexure D: Provides a mapping to ISO/IEC 29100, Information technology — Security techniques — Privacy framework.
Annexure E: Provides a mapping of ISO/IEC 27552 controls against ISO/IEC 27018, the code of practice that focuses on protection of personal data in the cloud, and against ISO/IEC 29151, Information technology — Security techniques — Code of practice for personally identifiable information protection.
Annexure F: Explains terms and alternative terms.
Annexure G: Provides guidance on how to implement ISO/IEC 27552 alongside both ISO/IEC 27001 and ISO/IEC 27002.
This standard is expected to be published in 2019 and will be a good tool for organizations implementing a Privacy Information Management System (PIMS).
Published by CMMI Consultant
Rajendra Khare (MD)
DQS Certification India Private Limited